RPC over HTTPS on server 2003

cas v1.0

-Create the certificate for use on IIS and IE on the client

Use any Linux box with openssl installed and run the following:

Make sure that the common name (CN) is the name of the RPC proxy, i.e. the internet-facing machine (eg the firewall) that clients will connect to, and not the internal NetBIOS name of the Exchange server.

openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

chmod 600 smtpd.key

openssl req -new -key smtpd.key -out smtpd.csr

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

openssl rsa -in smtpd.key -out smtpd.key.unencrypted

mv -f smtpd.key.unencrypted smtpd.key

openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

openssl pkcs12 -export -in smtpd.crt -inkey smtpd.key -out naledi.p12

(you can call the .p12 file anything)

On the server, open IIS, go to Default Web Site > Directory Security and import this certificate from the file.

On the client, use IE and import this into the Trusted Root Certification Authorities.

Also, install the certificate on the server by right-clicking on the .p12 file and selecting Install. Enter the password that was assigned when the certificate was exported (normally tttt).

Then when viewing the certificate in IIS on the server it should now show that it is intended for the following purposes:

All issuance policies

All application policies

If the certificate, when viewed says something like “This has been revoked”, then remove the certificate from “Untrusted Publishers” in the certificate section of IE.

-Configure the exchange server to use RPC over HTTPS

Go to Add/Remove Programs - Click Add Remove Windows Components - click Networking Services, and then click Details. Click to select the RPC over HTTP Proxy check box, click OK, and then click Next.

Note that you must have either the Windows Server 2003 installation CD ready, or the i386 folder from that CD accessible while installing this component.

-Configure the RPC virtual directory in Internet Information Services

Click the Directory Security tab for rpc, and then click Edit under Authentication and access control.

Click to clear the Enable anonymous access check box.

Click to select the Basic authentication (password is sent in clear text) check box.

You receive the following message:

The authentication option you have selected results in passwords being transmitted over the network without data encryption. Someone attempting to compromise your system security could use a protocol analyzer to examine user passwords during the authentication process. For more detail on user authentication, consult the online help. This warning does not apply to HTTPS (or SSL) connections.

Are you sure you want to continue?

Click Yes.

Also, set the rpc virtual directory to require SSL and require 128-bit encryption, so that Basic authentication credentials are only ever sent inside the encrypted channel.

-Configure the RPC proxy server to use the correct ports

Check that the following registry values are correct:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem

Value name: Rpc/HTTP Port

Value type: REG_DWORD

Value data: 0x1771 (Decimal 6001)

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters

Value name: HTTP Port

Value type: REG_DWORD

Value data: 0x1772 (Decimal 6002)

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters

Value name: Rpc/HTTP NSPI Port

Value type: REG_DWORD

Value data: 0x1774 (Decimal 6004)

The following key you will have to amend yourself:

(here using naledi as an example)

ws1=the internal netbios name of the exchange server

fw1.naledi.org.za=the external internet facing machine you will specify as the rpc proxy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy\ValidPorts

ws1:593;ws1:6001-6002;ws1.naledi.org.za:593;ws1.naledi.org.za:6001-6002;fw1.naledi.org.za:593;fw1.naledi.org.za:6001-6002;ws1:6004;ws1.naledi.org.za:6004;fw1.naledi.org.za:6004

Install the Resource Kit Tools (rktools) if they are not already installed, then check that the ports are set up correctly by running rpccfg /hd, which should show:

C:\WINDOWS\rpccfg /hd

Server Name Port Settings

---------------------------------------------------------

fw1.naledi.org.za 593 6001-6002 6004

ws1 593 6001-6002 6004

ws1.naledi.org.za 593 6001-6002 6004
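The ValidPorts value and the rpccfg /hd check above, as an added example in Python (not part of the original howto): it parses a ValidPorts string, reports the hosts and ports that differ from the three-host table above (a host left out, a missing port, or a range that would let the proxy forward to ports Exchange does not use), and renders the value the way rpccfg /hd lists it. The host names are the howto's naledi example; the sample values in the test are constructed.

```python
# Added example (not from the howto): parse and check the RpcProxy
# ValidPorts value so the proxy only forwards to Exchange's RPC over HTTP ports.
import re

EXCHANGE_PORTS = {593, 6001, 6002, 6004}  # back-end ports set in the registry
ENTRY_RE = re.compile(r"^([^:\s]+):(\d+)(?:-(\d+))?$")  # host:port or host:lo-hi

def parse_valid_ports(value):
    """Return {host: sorted ports}; raise ValueError on a malformed entry."""
    ports = {}
    for entry in value.split(";"):
        m = ENTRY_RE.match(entry.strip())
        if not m:
            raise ValueError(f"malformed ValidPorts entry: {entry!r}")
        lo = int(m.group(2))
        hi = int(m.group(3)) if m.group(3) else lo
        ports.setdefault(m.group(1), set()).update(range(lo, hi + 1))
    return {h: sorted(p) for h, p in ports.items()}

def check_valid_ports(value, expected_hosts):
    """List what rpccfg /hd would reveal: hosts with no entry, missing ports,
    and ports the proxy would forward to that Exchange does not use."""
    parsed = parse_valid_ports(value)
    problems = [f"{h}: no entry" for h in expected_hosts if h not in parsed]
    for host, plist in parsed.items():
        missing = EXCHANGE_PORTS - set(plist)
        extra = set(plist) - EXCHANGE_PORTS
        if missing:
            problems.append(f"{host}: missing {sorted(missing)}")
        if extra:
            problems.append(f"{host}: unexpected {sorted(extra)}")
    return problems

def port_settings_table(value):
    """Render host/port lines the way rpccfg /hd lists them (runs collapsed)."""
    lines = []
    for host, plist in sorted(parse_valid_ports(value).items()):
        runs, start = [], plist[0]
        for prev, cur in zip(plist, plist[1:] + [None]):
            if cur != prev + 1:
                runs.append(f"{start}-{prev}" if start != prev else str(start))
                start = cur
        lines.append(f"{host:<28}{' '.join(runs)}")
    return lines
```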

-Configure all your global catalogs to use specific ports for RPC over HTTP for directory services

Click Start, point to Microsoft Exchange, and then click System Manager.

Expand your organization, expand Administrative Groups > First Administrative Group > Servers.

Right-click on your server name and select Properties.

On the General tab, verify that you have SP1 installed. Verify that a tab called RPC-HTTP is present.

On the RPC-HTTP tab, click on RPC-HTTP Back-End Server.

You might get an error:

Exchange System Manager

There is no RPC-HTTP front-end in your Exchange organization. There must be at least one RPC-HTTP front-end server in the organization before the RPC-HTTP back-end server can be accessed.

Acknowledge the error.

    • You need to reboot your server for the settings to take effect.

    • Configure the firewall to DNAT port 443 to the internal IP address of the Windows box (here 192.168.0.3; the variables come from the firewall script):

$IPTABLES -A FORWARD -i $EXTIF -p tcp --dport 443 -d 192.168.0.3 -o $INTIF -j ACCEPT

$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp -d $EXTIP --dport 443 -j DNAT --to 192.168.0.3:443

Client Side

-Add the certificate into IE as described earlier

-Add the RPC profile into Outlook

Open the Control Panel, double-click Mail, click Profiles, click Add, enter the NetBIOS name of the Exchange server, and on the Connection tab under 'More Settings' select:

Connect to my Exchange mailbox using HTTP

Click on Exchange Proxy Settings, enter the external name (eg https://mail.igd.org.za) and change the authentication to 'Basic Authentication'.

Save the profile and test.